The threat is no longer theoretical. The Ethereum Foundation claims to have helped identify around 100 North Korea-linked IT workers across 53 crypto projects in just six months, through its ETH Rangers program. This figure is striking because it shows that infiltration is no longer limited to spectacular hacks. It also involves people who are hired, integrated into teams, and then placed as close as possible to sensitive access.

In brief
- The Ethereum Foundation says it helped identify 100 DPRK operators across 53 crypto projects.
- The risk now comes as much from hiring as from technical flaws.
- The response is progressing, but the ecosystem remains very exposed.

An alert that goes beyond simple news
The signal sent by the Ethereum Foundation is clear: risk also comes from within. In its report published on April 16, it explains that the Ketman Project, supported by the ETH Rangers program, contacted around 53 projects and identified around 100 DPRK operators active in Web3 organizations. It's no longer a blind spot. It's an ecosystem problem.
This detail changes how the issue should be read. For a long time, the crypto industry has mainly looked at smart contract flaws, compromised keys and poorly secured bridges. But here, the entry point is human. An operative infiltrates a team, gains its trust, then moves closer to critical permissions. The front line is shifting from pure code to recruitment, operations and governance.
This is what is most embarrassing for the sector. The mechanism seems trivial at first: a credible freelancer, a competent developer, a fake recruiter, a well-polished identity. Then the matter changes scale. Chainalysis also notes that North Korea is now achieving larger thefts with fewer incidents, in particular by embedding IT workers in crypto companies or by resorting to sophisticated impersonation.

The real danger is human before being technical
The figures for 2025 set the scene. According to Chainalysis, more than $3.4 billion was stolen in the crypto ecosystem over the year, including $2.02 billion attributed to North Korean actors, up 51% over one year. Above all, these groups represented 76% of the service compromises identified. We are therefore no longer talking about one actor among others. We are talking about the main state risk in the sector.
The model is known, but it is growing more refined. The US Treasury explains that these teams rely on false documents, stolen identities and fabricated personas to obtain real positions, while the regime collects most of the revenue generated. Some operations go further and also introduce malware or serve to exfiltrate sensitive data. The paycheck then becomes a lever for access.
The Drift affair reignited this fear at the wrong time. Chainalysis estimates that the $285 million hack suffered by the Solana-based crypto protocol on April 1, 2026 shows signals consistent with DPRK actors, after an operation prepared for months and supported by social engineering. Even with attribution still in progress, the message is stark: human compromise can precede financial damage by a long way.
